Compare commits

...

378 Commits

Author SHA1 Message Date
Arthur Baars
f4f81886d7 Java: update @id of experimental ExecTainted.ql query 2021-06-28 13:18:25 +02:00
Arthur Baars
e7a3ca2ed4 Revert "Java: remove duplicate query"
This reverts commit 0b59e408ba.
2021-06-28 13:15:10 +02:00
Arthur Baars
0b59e408ba Java: remove duplicate query 2021-06-28 12:29:54 +02:00
CodeQL CI
c02c96369d Merge pull request #6139 from erik-krogh/colors
Approved by esbena
2021-06-23 14:02:17 -07:00
yo-h
ffdc752720 Merge pull request #6059 from smowton/smowton/fix/qualified-name-generic-types
Adapt to static methods and nested types returning unbound declaring types
2021-06-23 14:45:51 -04:00
Tamás Vajk
8518e7c5a3 Merge pull request #6146 from tamasvajk/feature/stub-nhibernate
C#: Change nHibernate stub to nuget-based one
2021-06-23 18:00:45 +02:00
Tamás Vajk
4dc70fa959 Merge pull request #6145 from tamasvajk/feature/stub-jsonnet
C#: Change Newtonsoft.Json stub to nuget-based one
2021-06-23 18:00:27 +02:00
Chris Smowton
f6ba4e0235 Merge pull request #6142 from artem-smotrakov/better-spring-exporters
Added sinks for RmiBasedExporter and HessianExporter
2021-06-23 16:39:10 +01:00
CodeQL CI
469e709113 Merge pull request #6055 from RasmusWL/rsa-modeling
Approved by yoff
2021-06-23 08:35:25 -07:00
Chris Smowton
9c91d1a965 Add change note 2021-06-23 16:09:29 +01:00
Chris Smowton
74feaf2893 Adapt to static methods and nested types returning unbound declaring types
Previously these returned raw declaring types instead
2021-06-23 16:03:18 +01:00
Chris Smowton
b34448af87 {Generic,Parameterized,Raw}Type: implement getAPrimaryQlClass
An aid to debugging
2021-06-23 15:58:31 +01:00
Mathias Vorreiter Pedersen
9b8f558fb8 Merge pull request #6125 from MathiasVP/improve-tainted-arithmetic
C++: Add more barriers to `cpp/tainted-arithmetic`
2021-06-23 16:44:20 +02:00
Mathias Vorreiter Pedersen
295e022df3 Merge branch 'main' into improve-tainted-arithmetic 2021-06-23 15:45:18 +02:00
Ian Lynagh
089e4e2e1e Merge pull request #6147 from AlexDenisov/adjust_test_expectation
C++: Adjust test expectations after frontend upgrade
2021-06-23 14:43:47 +01:00
Alex Denisov
653afc8448 C++: Adjust test expectations after frontend upgrade 2021-06-23 14:39:16 +02:00
Mathias Vorreiter Pedersen
c44475458e Update cpp/ql/src/Security/CWE/CWE-190/Bounded.qll
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
2021-06-23 14:38:36 +02:00
Erik Krogh Kristensen
dbc8b9cf6a autoformat 2021-06-23 14:21:15 +02:00
CodeQL CI
a86f50e091 Merge pull request #6135 from erik-krogh/chokidar
Approved by esbena
2021-06-23 05:16:06 -07:00
CodeQL CI
b66f4cb965 Merge pull request #6134 from erik-krogh/templates
Approved by asgerf, esbena
2021-06-23 05:09:23 -07:00
Tamas Vajk
f352bcb0a3 C#: Change nHibernate stub to nuget-based one 2021-06-23 13:55:19 +02:00
Tamas Vajk
1188e1b678 Fix extra constructor stubbing 2021-06-23 13:50:54 +02:00
Tamas Vajk
e200ecde4a C#: Change Newtonsoft.Json stub to nuget-based one 2021-06-23 13:49:11 +02:00
Rasmus Wriedt Larsen
0774e985ce Python: Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-06-23 13:37:38 +02:00
Tamás Vajk
2dc0849b79 Merge pull request #5664 from tamasvajk/feature/stub-generation
C#: Stub generation
2021-06-23 13:33:10 +02:00
Artem Smotrakov
0dfb869c5b Apply suggestions from code review
Co-authored-by: Chris Smowton <smowton@github.com>
2021-06-23 13:23:54 +02:00
Mathias Vorreiter Pedersen
6379463bcf Merge branch 'main' into improve-tainted-arithmetic 2021-06-23 11:42:45 +02:00
Tamas Vajk
09dd615c6b Regenerate stubs (add System.Void struct) 2021-06-23 11:38:41 +02:00
Geoffrey White
298f70f082 Merge pull request #6120 from MathiasVP/not-overflow-is-barrier-in-cwe-190
C++: Recognize any non-overflowing arithmetic expression as a barrier for `cpp/uncontrolled-arithmetic`
2021-06-23 10:35:33 +01:00
Tamas Vajk
d698f0ae27 Fix VoidType handling 2021-06-23 11:30:47 +02:00
Mathias Vorreiter Pedersen
9b94f3a650 Merge branch 'main' into improve-tainted-arithmetic 2021-06-23 11:04:08 +02:00
Rasmus Wriedt Larsen
c0964617d7 Merge pull request #6111 from tausbn/python-a-few-minor-cleanups
Python: A few minor bits of cleanup
2021-06-23 10:42:41 +02:00
Erik Krogh Kristensen
6cf275bb36 update change-note
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-06-23 10:42:26 +02:00
Erik Krogh Kristensen
700dfcc3a7 add comment about why colors/safe is not safe
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-06-23 10:39:56 +02:00
Mathias Vorreiter Pedersen
a611e76ed2 C++: Respond to review comments. 2021-06-23 10:28:00 +02:00
Erik Krogh Kristensen
8b5c285ac8 add support for the chokidar library 2021-06-23 09:59:34 +02:00
Artem Smotrakov
14e724bce6 Added sinks for RmiBasedExporter and HessianExporter 2021-06-23 09:53:47 +02:00
Tamas Vajk
133d760659 Regenerate stubs to update nested class names in comments 2021-06-23 09:53:39 +02:00
Tamas Vajk
9ba1529f19 Fix nested class names in comments of stubs expected test file 2021-06-23 09:38:29 +02:00
Tamas Vajk
b40b6f40b6 Change frameworks folder to _frameworks 2021-06-23 09:26:55 +02:00
Tamas Vajk
5b2be8ce2d Fix code review findings 2021-06-23 09:26:55 +02:00
Tom Hvitved
026bcc72f2 C#: Improve performance of stubbing library 2021-06-23 09:26:54 +02:00
Tamas Vajk
405c008b47 Fix conversion operator stubbing + reduce skipped ctor noise in stubs 2021-06-23 09:26:54 +02:00
Tamas Vajk
e4b02e377c Add .net core and asp.net core stubs 2021-06-23 09:26:54 +02:00
Tamas Vajk
0f18fd6892 Adjust script to handle .net core framework reference 2021-06-23 09:26:54 +02:00
Tamas Vajk
4eee6ef1d9 Handle system.object missing base type 2021-06-23 09:26:54 +02:00
Tamas Vajk
97cd006b2c Add missing required private constructors 2021-06-23 09:26:54 +02:00
Tamas Vajk
d7a93a5367 Move default excluded assembly definition 2021-06-23 09:26:54 +02:00
Tamas Vajk
f597c9a7ed Handle special case of duplicate type constraints 2021-06-23 09:26:54 +02:00
Tamas Vajk
42fcfad0d8 Handle types defined in multiple assemblies 2021-06-23 09:26:54 +02:00
Tamas Vajk
22f3b05170 Handle all structs (simple types, intptr, system.void) 2021-06-23 09:26:54 +02:00
Tamas Vajk
914da6bdd2 Fix various stubbing issues 2021-06-23 09:26:54 +02:00
Tamas Vajk
fec0ddd2d2 Add test for tuples with arity < 2 2021-06-23 09:26:54 +02:00
Tamas Vajk
d7d653b9d2 Fix tuple stubbing with arity < 2 2021-06-23 09:26:54 +02:00
Tamas Vajk
2edfa15472 Reduce size of stubDefaultArguments predicate 2021-06-23 09:26:54 +02:00
Tamas Vajk
e93736f583 Change base class of GeneratedDeclaration to Modifiable 2021-06-23 09:26:54 +02:00
Tamas Vajk
53054290d1 Improve QL check for path match on netcore.app.ref in exluded assemblies 2021-06-23 09:26:54 +02:00
Tamas Vajk
a00c2ccf31 Remove _stub.cs file generation 2021-06-23 09:26:54 +02:00
Tamas Vajk
31795c3e6b Introduce test option to include files from projects 2021-06-23 09:26:54 +02:00
Tamas Vajk
cce7404470 Add csproj generation 2021-06-23 09:26:54 +02:00
Tamas Vajk
b725f6e547 Handle types that are defined in multiple assemblies 2021-06-23 09:26:54 +02:00
Tamas Vajk
ce214cfbf8 Split generated stubs to separate files 2021-06-23 09:26:53 +02:00
Tamas Vajk
88c97bd34e Generate stubs per assembly 2021-06-23 09:26:53 +02:00
Tamas Vajk
ba238578d1 Add stubbing tests 2021-06-23 09:26:53 +02:00
Tamas Vajk
7e7a52de3c Stub IndexerName attribute 2021-06-23 09:26:53 +02:00
Tamas Vajk
5e07d82b42 Stub unsafe modifier 2021-06-23 09:26:53 +02:00
Tamas Vajk
4e0bbffac4 Fix ExtraGeneratedConstructor to exclude static constructors and take into account generic derived classes 2021-06-23 09:26:53 +02:00
Tamas Vajk
e96754c2d5 Fix all remaining issues to stub entity framework core 2021-06-23 09:26:53 +02:00
Tamas Vajk
3e92be5324 Extract private/internal members from referenced assemblies + stub required non public constructors 2021-06-23 09:26:53 +02:00
Tamas Vajk
bd83f74dca Fix generic type constraint order 2021-06-23 09:26:53 +02:00
Tamas Vajk
9b6e9ab148 Escape field names 2021-06-23 09:26:53 +02:00
Tamas Vajk
3c3ddcc8fb Fix protected internal on override in the same assembly 2021-06-23 09:26:53 +02:00
Tamas Vajk
e6bfb0d1d2 Fix qualified name stubbing for nested types 2021-06-23 09:26:53 +02:00
Tamas Vajk
8cbdd30e1e Fix generic type constraint stubbing on overrides 2021-06-23 09:26:53 +02:00
Tamas Vajk
ff4db5b8d2 Fix abstract override member generation 2021-06-23 09:26:53 +02:00
Tamas Vajk
cda285de18 Use dotnet format to format the output stub file 2021-06-23 09:26:53 +02:00
Tamas Vajk
53655d4ae4 Only stub declarations from libraries 2021-06-23 09:26:53 +02:00
Tamas Vajk
eabf6b0be8 Only stub effectively public declarations 2021-06-23 09:26:53 +02:00
Tamas Vajk
66eca53b00 Fix accessibility modifier stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
1aadd3f3d6 Fix constant value stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
264d216a33 Generate stub for nested classes 2021-06-23 09:26:53 +02:00
Tamas Vajk
27608b3b38 Add support for event stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
85b3ec6096 Add support for base ctor calls in stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
7bf1794310 Add support for delegate stubbing 2021-06-23 09:26:53 +02:00
Tamas Vajk
a273f88a51 Add support for explicitly implemented indexers 2021-06-23 09:26:53 +02:00
Tamas Vajk
481ae0ff19 Exclude default struct constructors from stubs 2021-06-23 09:26:53 +02:00
Tamas Vajk
3f0a158b3c Add query to select all public declarations from target assemblies 2021-06-23 09:26:53 +02:00
Tamas Vajk
bfa9bf33c0 C#: Add nuget based stubbing script 2021-06-23 09:26:53 +02:00
Erik Krogh Kristensen
fa02651542 add taint step through the strip-ansi library 2021-06-23 09:13:03 +02:00
Erik Krogh Kristensen
fe76341820 add taint step through the chalk library 2021-06-23 09:12:48 +02:00
Erik Krogh Kristensen
053d9b5564 add taint step through the kleur library 2021-06-23 09:12:25 +02:00
Tamás Vajk
fa215bcda5 Merge pull request #6132 from tamasvajk/fix/coverage-commenter-base
Fix framework coverage commenter to use merge commit parent instead o…
2021-06-23 08:12:07 +02:00
CodeQL CI
37b66f9045 Merge pull request #6117 from asgerf/js/sharpen-match-calls
Approved by esbena
2021-06-22 22:52:37 -07:00
Erik Krogh Kristensen
6e2b92468f add taint step through the slice-ansi library 2021-06-22 23:14:14 +02:00
Erik Krogh Kristensen
35c513d38a add taint step through the cli-color library 2021-06-22 23:10:40 +02:00
Erik Krogh Kristensen
ec9c885908 add taint step through the cli-highlight library 2021-06-22 23:06:50 +02:00
Erik Krogh Kristensen
d114cdc6e5 add taint step through the colorette library 2021-06-22 23:02:01 +02:00
Erik Krogh Kristensen
e4427bb34a add taint step through the wrap-ansi library 2021-06-22 22:59:03 +02:00
Erik Krogh Kristensen
626a653401 add taint step through the colors library 2021-06-22 22:55:15 +02:00
Erik Krogh Kristensen
a21ebbbe8f add taint step through the ansi-colors library 2021-06-22 22:47:58 +02:00
CodeQL CI
d719a1e627 Merge pull request #6114 from erik-krogh/promisify
Approved by esbena
2021-06-22 12:19:38 -07:00
Erik Krogh Kristensen
2ba2642c7a add more template sinks for the js/code-injection query 2021-06-22 20:24:42 +02:00
CodeQL CI
bde1bb4030 Merge pull request #6126 from erik-krogh/dates
Approved by esbena
2021-06-22 10:35:51 -07:00
Taus
317c6867aa Python: Fix sneaky semantic change
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-06-22 16:46:54 +02:00
CodeQL CI
eb95dff746 Merge pull request #6129 from erik-krogh/ReDoSCWE
Approved by esbena
2021-06-22 07:02:39 -07:00
Shati Patel
396de59ad7 Merge pull request #6131 from erik-krogh/toUnicodeDoc
mention the new `toUnicode` method in the QL language specification
2021-06-22 14:36:16 +01:00
Erik Krogh Kristensen
062502fecc add back support for util-promisifyall 2021-06-22 15:34:51 +02:00
Tamas Vajk
870e4125dc Fix framework coverage commenter to use merge commit parent instead of (old) base repo SHA 2021-06-22 13:24:26 +02:00
Erik Krogh Kristensen
3bdd9f7a30 mention the new toUnicode method in the QL language specification 2021-06-22 13:13:30 +02:00
Tom Hvitved
38a38fd2c1 Merge pull request #6003 from hvitved/csharp/external-summaries
C#: CSV-based flow summaries
2021-06-22 12:59:44 +02:00
Asger Feldthaus
16e3681fd3 JS: Update RegExpInjection test case 2021-06-22 12:00:04 +02:00
Anders Schack-Mulligen
206a37cf08 Merge pull request #6130 from aschackmull/java/collection-test
Java: Improve test and fix a few missing cases.
2021-06-22 11:56:44 +02:00
Erik Krogh Kristensen
4360e5dcbc add model of the thenify library 2021-06-22 11:55:58 +02:00
Erik Krogh Kristensen
61cc415a32 add model of the util.promisify library 2021-06-22 11:55:58 +02:00
Erik Krogh Kristensen
2f3ea4412f add model of the pify library 2021-06-22 11:55:54 +02:00
Rasmus Wriedt Larsen
5db627042f Merge pull request #6091 from tausbn/python-exclude-main-py-files
Python: Avoid `__main__.py` files as entry points.
2021-06-22 11:29:02 +02:00
Rasmus Wriedt Larsen
e05d6e71b8 Merge pull request #6064 from tausbn/python-add-get-method-call
Python: Add `getAMethodCall` to `LocalSourceNode`
2021-06-22 11:16:39 +02:00
Anders Schack-Mulligen
38fc8a750c Java: Improve test and fix a few missing cases. 2021-06-22 11:16:02 +02:00
Jonas Jensen
ae296fc6db Merge pull request #6101 from github/AlonaHlobina-patch-3
Adding C++20 Beta support.rst
2021-06-22 11:02:15 +02:00
Erik Krogh Kristensen
c736606695 add support for moment/dayjs/luxon instances returned by @date-io adapters 2021-06-22 10:42:24 +02:00
Erik Krogh Kristensen
f2ca2134d1 refactor promisify models into a module 2021-06-22 10:40:22 +02:00
Erik Krogh Kristensen
a4303bc81d add CWE-1333 to the JS ReDoS queries 2021-06-22 10:24:56 +02:00
AlonaHlobina
2a9d0009be Update versions-compilers.rst 2021-06-22 10:36:19 +03:00
Erik Krogh Kristensen
227f61b954 add model for the luxon library 2021-06-21 23:29:12 +02:00
Erik Krogh Kristensen
cdf3cdcf71 add model for the formatByString and formatByNumber functions in @date-io 2021-06-21 23:29:01 +02:00
Erik Krogh Kristensen
2a4570eaaa add model for the dayjs library 2021-06-21 23:28:45 +02:00
Taus
ba6ab8ff3d Python: Expand __main__.py comment
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-06-21 18:14:03 +02:00
Taus
768cab3642 Python: Address review comments
- changes `getReceiver` to `getObject`
- fixes `calls` to avoid unwanted cross-talk
- adds some more documentation to highlight the above issue
2021-06-21 14:57:19 +00:00
Mathias Vorreiter Pedersen
3bc6b11ae5 C++: Share the 'bounded' predicate from 'cpp/uncontrolled-arithmetic' and use it in 'cpp/tainted-arithmetic'. 2021-06-21 16:38:17 +02:00
Mathias Vorreiter Pedersen
05389bb9d4 Merge pull request #6099 from geoffw0/weak-crypto3
Further improvements to cpp/weak-cryptographic-algorithm
2021-06-21 15:46:50 +02:00
CodeQL CI
565af1a879 Merge pull request #6071 from RasmusWL/fix-input-cwe
Approved by calumgrant, tausbn
2021-06-21 06:23:18 -07:00
Geoffrey White
05ed4ed739 Update cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-06-21 14:22:56 +01:00
AlonaHlobina
281a619646 Merge branch 'main' into AlonaHlobina-patch-3 2021-06-21 16:22:10 +03:00
yoff
baf8d0a990 Merge pull request #6045 from RasmusWL/twisted
Python: Model twisted
2021-06-21 14:52:57 +02:00
Anders Schack-Mulligen
14b485efa4 Merge pull request #6119 from smowton/smowton/fix/jaxrs-tests-field-flow
Increase field flow branch limit in Jax-RS tests
2021-06-21 14:43:59 +02:00
Mathias Vorreiter Pedersen
238c483e5b C++: Make any non-overflowing arithmetic operation a barrier. 2021-06-21 14:05:34 +02:00
Mathias Vorreiter Pedersen
18e5d3cce8 C++: Add false positive with multiplication. 2021-06-21 14:04:27 +02:00
Chris Smowton
e2aaae8181 Increase test fieldFlowBranchLimit to 1000
Might as well head off future failures in this test

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-06-21 12:51:37 +01:00
Chris Smowton
c5eef7be8c Increase field flow branch limit in Jax-RS tests
This fixes apparently-missing results by allowing the dataflow library to persist even when there are many Map implementations possibly available.
2021-06-21 12:46:13 +01:00
Geoffrey White
6f808c9e4c C++: Update change note. 2021-06-21 12:32:48 +01:00
Geoffrey White
79198974dc Merge branch 'main' into weak-crypto3 2021-06-21 11:55:29 +01:00
Anders Schack-Mulligen
9110dfaeb3 Merge pull request #6095 from hvitved/dataflow/local-cc-join
Data flow: Fix `getLocalCallContext` join-order
2021-06-21 12:53:38 +02:00
Geoffrey White
90e2a2d222 C++: Change note. 2021-06-21 11:30:12 +01:00
Asger Feldthaus
0754ed2b5c JS: Change note 2021-06-21 11:46:44 +02:00
Rasmus Wriedt Larsen
d6ec4d30fc Python: Twisted refactor of getRequestParamIndex 2021-06-21 10:54:28 +02:00
Rasmus Wriedt Larsen
8208aebd7e Python: Apply suggestions from code review
Co-authored-by: yoff <lerchedahl@gmail.com>
2021-06-21 10:43:25 +02:00
Shati Patel
bbb5a39c02 Merge pull request #6072 from shati-patel/shati-patel/vs-code-setting
[Already shipped] Docs: Update setting in CodeQL for VS Code
2021-06-21 08:34:14 +01:00
Taus
3aea270e10 Python: Autoformat 2021-06-18 18:30:27 +00:00
yo-h
26a04d6659 Merge pull request #6108 from tamasvajk/fix/coverage-commenter
Fix diff in the framework coverage PR comment
2021-06-18 14:02:15 -04:00
Taus
aeac03663f Python: Remove old ClickHouseDriver.qll
The merge must've gone wrong some way, as this file is not supposed to
exist in `experimental` anymore.
2021-06-18 17:41:09 +00:00
Taus
348b20ca9d Merge branch 'main' of https://github.com/github/codeql into python-a-few-minor-cleanups 2021-06-18 17:38:43 +00:00
Taus
9351688da8 Python: asCfgNode cleanup 2021-06-18 17:22:42 +00:00
Taus
c386f4a009 Python: Clean up py/insecure-protocol
Going all the way to the AST layer seemed excessive to me, so I rewrote
it to do most of the logic at the data-flow layer. In principle this
_could_ result in more names being computed (due to splitting), but in
practice I don't expect this make a big difference.
2021-06-18 17:22:42 +00:00
Taus
f24a9a46d9 Python: add getAnAttributeWrite 2021-06-18 17:22:42 +00:00
Taus
c78ba476cf Python: Clean up a few verbose casts 2021-06-18 17:22:42 +00:00
Tamas Vajk
b3f44f457a Fix diff in the framework coverage PR comment 2021-06-18 16:33:50 +02:00
Mathias Vorreiter Pedersen
17df8e44d0 C++: Convert 'cpp/tainted-arithmetic' to a 'path-problem' query. 2021-06-18 14:56:17 +02:00
AlonaHlobina
ac35438b5f Update versions-compilers.rst 2021-06-18 15:35:37 +03:00
CodeQL CI
081fd28090 Merge pull request #6102 from RasmusWL/js-qhelp-fixup
Approved by erik-krogh
2021-06-18 04:52:48 -07:00
Chris Smowton
6302187a5d Merge pull request #5957 from haby0/java/BeanShellInjection
Java: BeanShell Injection
2021-06-18 12:38:51 +01:00
Jonas Jensen
f829fff2ad Merge pull request #6100 from github/AlonaHlobina-patch-2
Update C/C++ Clang and GCC versions.rst
2021-06-18 13:10:29 +02:00
AlonaHlobina
288a314108 Update versions-compilers.rst 2021-06-18 13:35:11 +03:00
Rasmus Wriedt Larsen
968a0921d4 JS: Fix secure example inclusion in InsecureDownload.qhelp 2021-06-18 12:12:06 +02:00
Anders Schack-Mulligen
7eb6da3888 Merge pull request #5772 from smowton/smowton/feature/apache-tuple-flow
Add models for Apache Commons Lang's tuple types
2021-06-18 11:25:07 +02:00
AlonaHlobina
bd820458f5 Update docs/codeql/support/reusables/versions-compilers.rst
Co-authored-by: Jonas Jensen <jbj@github.com>
2021-06-18 12:24:34 +03:00
haby0
a73cb3f04a Fix error 2021-06-18 17:22:26 +08:00
CodeQL CI
1ffd9c9ba7 Merge pull request #6086 from asgerf/js/knex
Approved by esbena
2021-06-18 01:58:21 -07:00
Calum Grant
32f6a465b0 Merge pull request #6080 from github/calumgrant/security-severities
Update security-severity scores
2021-06-18 09:40:40 +01:00
Tom Hvitved
eb86bceb4d Address review comments 2021-06-18 10:18:47 +02:00
AlonaHlobina
9c5ba8d4f6 Adding C++20 Beta support.rst 2021-06-18 10:56:11 +03:00
haby0
0d18e4ff9c BeanShell Injection 2021-06-18 15:54:13 +08:00
AlonaHlobina
9feda2ddd6 Update C/C++ Clang and GCC versions.rst 2021-06-18 10:46:22 +03:00
Tamás Vajk
0545bcfbd2 Merge pull request #6028 from github/tamasvajk/feature/csv-coverage-report-comment
Add CSV coverage PR commenter
2021-06-18 09:32:45 +02:00
Tom Hvitved
66e4940ac3 C#: Remove bad magic 2021-06-17 20:47:20 +02:00
Tom Hvitved
d5163ca244 C#: Cache NamedElement::hasQualifiedName/2 2021-06-17 20:47:07 +02:00
Geoffrey White
b4cbe6dce8 C++: Increase query precision to high. 2021-06-17 14:33:17 +01:00
Geoffrey White
b5c71fd1d7 C++: Repair funcion call in a function call. 2021-06-17 14:33:16 +01:00
Geoffrey White
e5147c2a1f C++: Exclude functions that don't involve buffers. 2021-06-17 14:33:16 +01:00
Tom Hvitved
eca11f1b40 C#: Adjust getQualifiedName for type parameters 2021-06-17 14:47:19 +02:00
Chris Smowton
64001cc02c Merge pull request #5587 from smowton/smowton/admin/promote-ssrf-query
Promote SSRF query from experimental
2021-06-17 13:02:33 +01:00
Chris Smowton
d28c95d16c Field foo of -> Field[foo] of 2021-06-17 12:49:25 +01:00
Chris Smowton
74b2a2c7a6 Improve style of interpretField 2021-06-17 12:45:44 +01:00
Geoffrey White
a481e5c292 C++: Exclude template code. 2021-06-17 12:36:14 +01:00
Geoffrey White
8efdf359dc C++: Fix some incorrect uses of 'const' in the tests. 2021-06-17 12:36:13 +01:00
Geoffrey White
3641cdcc1f C++: Add a test case involving an array. 2021-06-17 12:36:09 +01:00
Chris Smowton
5cf0243dd0 Add change note 2021-06-17 12:34:40 +01:00
Chris Smowton
2cc1f46871 Model constructors for (Imm|M)utable(Pair|Triple) 2021-06-17 12:34:40 +01:00
Chris Smowton
fbaa382158 Add tests for Pair.of and Triple.of 2021-06-17 12:34:40 +01:00
Chris Smowton
eebaab8fe9 Order left and right consistently 2021-06-17 12:34:40 +01:00
Chris Smowton
365aab9bd9 Improve matching of Field specifiers; add Field recognition in tests 2021-06-17 12:34:36 +01:00
Geoffrey White
23db21cd90 C++: Test spacing. 2021-06-17 12:33:31 +01:00
Chris Smowton
472a2a64dd Add models for Apache Commons tuples 2021-06-17 12:25:21 +01:00
Chris Smowton
73fa680224 Add support for CSV-specified flow to or from fields. 2021-06-17 12:24:28 +01:00
Geoffrey White
d590952aaa C++: Add a test case involving nested function calls. 2021-06-17 12:23:18 +01:00
Geoffrey White
7632c9edb5 C++: Add test cases involving strings and comparisons. 2021-06-17 12:23:17 +01:00
Geoffrey White
2e236dd2a9 C++: Add a test case involving a harmless assert. 2021-06-17 12:23:17 +01:00
Geoffrey White
dca397dfb1 C++: Add a test case with a template class. 2021-06-17 12:23:16 +01:00
Tamas Vajk
07b83d5dc1 Remove commented code 2021-06-17 13:04:39 +02:00
Tamás Vajk
c532db58fd Apply suggestions from code review
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
2021-06-17 13:04:39 +02:00
Tamas Vajk
e61f725196 Apply code review findings 2021-06-17 13:04:39 +02:00
Tamas Vajk
4abaa7870f Add CSV coverage PR commenter 2021-06-17 13:04:39 +02:00
Tamás Vajk
200126b302 Merge pull request #6008 from github/tamasvajk/feature/csv-coverage-report
Add timeseries CSV generator script
2021-06-17 13:03:41 +02:00
Chris Smowton
11b70326fd Add Jakarta WS url-open sink 2021-06-17 11:58:41 +01:00
Chris Smowton
da1e760269 Adjust Spring models to use erased function signatures 2021-06-17 11:43:33 +01:00
Chris Smowton
1176fec287 Improve docs
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-06-17 11:43:33 +01:00
Chris Smowton
09f27554d0 Note incidental extra models in change note 2021-06-17 11:43:33 +01:00
Chris Smowton
7509e36382 Remove no-longer-needed BasicRequestLine model from InsecureBasicAuth.ql; adjust test expectations accordingly 2021-06-17 11:43:33 +01:00
Chris Smowton
c531b81ebe Rename RequestForgery.java -> SanitizationTests.java 2021-06-17 11:43:33 +01:00
Chris Smowton
cb99e17f4d Split and rename JavaNetHttp and ApacheHttp tests for consistency 2021-06-17 11:43:32 +01:00
Chris Smowton
6c4a909b86 Remove dead code from test 2021-06-17 11:43:32 +01:00
Chris Smowton
08ab5f5546 Remove redundant test 2021-06-17 11:43:32 +01:00
Chris Smowton
74569ce316 Tidy Jax-RS test 2021-06-17 11:43:32 +01:00
Chris Smowton
57ca36baad Tidy Spring test 2021-06-17 11:43:32 +01:00
Chris Smowton
8b080a94e7 Convert request forgery tests to inline expectations; add missing models revealed by this process. 2021-06-17 11:43:32 +01:00
Chris Smowton
b66dcbe5b6 Factor request-forgery config so it can be used in an inline-expectations test 2021-06-17 11:43:32 +01:00
Chris Smowton
ee872f1752 Add missing tests, add additional models revealed missing in the process, and add stubs to support them all. 2021-06-17 11:43:32 +01:00
Chris Smowton
49bbfc3f4b Convert SSRF sinks into url-open CSV sinks
I also drop the previous approach of taint-tracking through various builder objects in favour of assuming that a URI set in a request-builder object is highly likely to end up requested in some way or another.

This will cause the `java/non-https-url` query to pick the new sinks up too, and fixes a Spring case that had never worked but went unnoticed until now.
2021-06-17 11:43:30 +01:00
Chris Smowton
0f2139ff5d Fix and document one-based argument indexing in StringFormat's getAnArgUsageOffset 2021-06-17 11:41:06 +01:00
Chris Smowton
55c72cebf2 Improve StringBuilder append chain tracking
Previously this didn't catch the case of constructors chaining directly into appends, like `StringBuilder sb = new StringBuilder("1").append("2")`
2021-06-17 11:41:06 +01:00
Chris Smowton
5b25694a52 Simplify and improve AddExpr logic
The improvement is in considering (userSupplied + "/") itself a sanitising prefix.
2021-06-17 11:41:06 +01:00
Chris Smowton
6b76f42d22 Broaden PrimitiveSanitizer to include boxed primitives and other java.lang.Numbers 2021-06-17 11:41:06 +01:00
Chris Smowton
3167af29bd Tidy and remove catersian product from getUrlArgument 2021-06-17 11:41:05 +01:00
Chris Smowton
f388aae78e Fix getAnArgUsageOffset and improve its space complexity
Also add tests checking the output of the new function
2021-06-17 11:41:05 +01:00
Chris Smowton
0db5484399 Copyedit documentation
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-06-17 11:41:05 +01:00
Chris Smowton
1549993565 Update test results to account for changed model structure
(Models now have internal nodes in order to allow field flow through them)
2021-06-17 11:41:05 +01:00
Chris Smowton
8d70e3d22e Fix casing of change note 2021-06-17 11:41:05 +01:00
Chris Smowton
9138d2b8f5 Improve comment casing
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2021-06-17 11:41:05 +01:00
Chris Smowton
b25e8671b9 Java SSRF query: comment on sanitizing regex 2021-06-17 11:41:05 +01:00
Chris Smowton
a665d5d111 Improve RequestForgery.qhelp recommendation 2021-06-17 11:41:05 +01:00
Chris Smowton
0d9a6e2b61 Update java/ql/src/semmle/code/java/security/RequestForgery.qll
SpringRestTemplateUrlMethods -> SpringRestTemplateUrlMethod
2021-06-17 11:41:05 +01:00
Chris Smowton
fb2989c16b Copyedit comments and function names
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2021-06-17 11:41:04 +01:00
Chris Smowton
960a903185 Java SSRF query: document RequestForgeryAdditionalTaintStep and use Unit not string for a supertype. 2021-06-17 11:41:04 +01:00
Chris Smowton
575198a0e4 Java SSRF query: Server Side -> Server-Side everywhere. 2021-06-17 11:41:04 +01:00
Chris Smowton
7899e17f3a Java SSRF query: move RequestForgery qll file into semmle/code hierarchy
This makes it importable by people wishing to extend the query.
2021-06-17 11:41:04 +01:00
Chris Smowton
532a10bfdf Java SSRF query: Provide hook for custom taint-propagating steps; make all default sinks/sanitizers/steps private. 2021-06-17 11:41:04 +01:00
Chris Smowton
5bdd9da27a Java SSRF query: credit original author 2021-06-17 11:41:04 +01:00
Chris Smowton
e8613367e8 Java SSRF query: copyedit qhelp 2021-06-17 11:41:04 +01:00
Chris Smowton
3333e7d186 Java SSRF query: sanitize primitives
Even 'char' isn't a realistic vector for an exploit, unless somebody is copying out a string char by char.
2021-06-17 11:41:04 +01:00
Chris Smowton
93a9f471ce Add change note 2021-06-17 11:41:04 +01:00
Chris Smowton
77904d9597 Remove failing test
The case where something might be exactly a constant is general across all queries, and not handled yet, particularly in the case where the result of `getParameter("uri")` might have changed between the check and the use.
2021-06-17 11:41:04 +01:00
Chris Smowton
6933d06a46 Add exactly the string '/' as a sanitizing prefix.
Usually this is ignored for suspicion that it could be taken for a protocol specifier, but on balance the context `(something) + "/" + tainted()` is more likely to be taken for a user-controlled location within a host the user does not control.
2021-06-17 11:41:03 +01:00
Chris Smowton
bc43b6d760 Fix typo 2021-06-17 11:41:03 +01:00
Chris Smowton
e6249eed79 Add doc comments 2021-06-17 11:41:03 +01:00
Chris Smowton
26e10f3ad5 SSRF: don't consider results of fetches we initiated to be untrustworthy 2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf Sanitize StringBuilder appends that follow directly from a constructor.
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881 SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to. 2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed Promote SSRF query to main query set 2021-06-17 11:41:01 +01:00
Anders Schack-Mulligen
6ca8d69b26 Merge pull request #5881 from haby0/java/UnsafeDeserialization
Java: CWE-502 Add UnsafeDeserialization sinks
2021-06-17 12:36:34 +02:00
Anders Schack-Mulligen
8fe2f4a554 Merge pull request #6034 from owen-mc/java/jax-rs
Improve JAX-WS and JAX-RS models
2021-06-17 12:35:34 +02:00
Anders Schack-Mulligen
b173b4141d Merge pull request #6096 from smowton/smowton/fix/inline-expectations-missing-prefix
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
2021-06-17 11:41:15 +02:00
haby0
363ad5b470 Fix error 2021-06-17 17:36:35 +08:00
Owen Mansel-Chan
945db01f56 Address review comments 2021-06-17 10:29:33 +01:00
Owen Mansel-Chan
b9bc1f978c Update style of inline expectation comments 2021-06-17 10:04:15 +01:00
Chris Smowton
558813acf7 Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
2021-06-17 09:44:39 +01:00
Owen Mansel-Chan
0987425f94 Reinstate failing tests with MISSING: prefix 2021-06-17 09:36:51 +01:00
Tom Hvitved
0febf5a592 Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart
Data flow: Workaround for too clever compiler in consistency queries
2021-06-17 10:23:31 +02:00
Tom Hvitved
ffb2350a54 Data flow: Fix getLocalCallContext join-order 2021-06-17 10:02:31 +02:00
Tom Hvitved
cc383e0f6a Data flow: Workaround for too clever compiler in consistency queries 2021-06-17 09:43:36 +02:00
haby0
3dd851fffb expected 2021-06-17 15:20:03 +08:00
Owen Mansel-Chan
5f82993b0b Put parameters with inline expectation comments on their own lines 2021-06-17 06:41:01 +01:00
Tom Hvitved
3f6beaf9df C#: Add tests for complex CSV flow summaries 2021-06-16 19:36:05 +02:00
Tom Hvitved
0af44a7f94 C#: Changes to Type::{getQualifier,hasQualifiedName} 2021-06-16 19:36:05 +02:00
CodeQL CI
bcafe532ac Merge pull request #5944 from RasmusWL/async-api-graph-tests
Approved by tausbn
2021-06-16 08:46:26 -07:00
CodeQL CI
9b84a8e146 Merge pull request #6048 from erik-krogh/graphql
Approved by esbena
2021-06-16 06:35:42 -07:00
Tom Hvitved
8866e6c969 C#: Always use fully qualified names in CSV data-flow summaries 2021-06-16 14:09:45 +02:00
Tom Hvitved
def3d6bac4 C#: CSV-based flow summaries 2021-06-16 14:09:45 +02:00
Owen Mansel-Chan
5d00bb23e4 Move logic for URL redirection sinks 2021-06-16 12:48:11 +01:00
yoff
0ddeb7a8c1 Merge pull request #5950 from RasmusWL/promote-clickhouse
Python: Promote ClickHouse SQL models
2021-06-16 13:38:41 +02:00
Taus
e647403948 Python: Avoid __main__.py files as entry points.
According to the official documentation, the purpose of `__main__.py`
files is that their presence in a package (say, `foo`) means one can
execute the package directly using `python -m foo` (which will run the
aforementioned `foo/__main__.py` file).

In principle this means that adding `if __name__ == "__main__"` in these
files is superfluous, as they are only intended to be executed (and not
imported by some other file).

However, in practice people often _do_ include the above construct.
Here are some instances of this on LGTM.com:
https://lgtm.com/query/7521266095072095777/

In particular, 10 out of 33 files in `cpython` have this construct.

This causes some confusion in our module naming, as we usually see the
presence of `__name__ == "__main__"` as an indication that a file may
be run directly (and hence with "absolute import" semantics). However,
when run with `python -m`, the interpreter uses the usual package
semantics, and this leads to modules getting multiple names.

For this reason, I think it makes sense to simply exclude `__main__.py`
files from consideration. Note that if there is a `#!` line mentioning
the Python interpreter, then they will still be included as entry
points.
2021-06-16 10:59:56 +00:00
Tamás Vajk
eaa69dfa5d Merge pull request #6084 from tamasvajk/feature/effective-publicness
C#: Fix isEffectively* visibility predicates
2021-06-16 12:52:38 +02:00
Anders Schack-Mulligen
75d5fe67ea Merge pull request #6090 from atorralba/atorralba/move-httpsurls-tests
Java: Move/tweak some tests
2021-06-16 12:00:55 +02:00
Tamas Vajk
28ef0e86f6 Apply code review findings 2021-06-16 10:51:52 +02:00
Tamas Vajk
c5b8acf216 Add change notes 2021-06-16 10:51:52 +02:00
Tamas Vajk
db8a777aa9 Fix isEffectively* predicates to members extracted from multiple assemblies 2021-06-16 10:51:52 +02:00
Tamas Vajk
77f8f3fa8a Adjust comments on isEffectively* 2021-06-16 10:51:52 +02:00
Tamas Vajk
eea96a5585 Fix effective publicness of protected private and protected internal 2021-06-16 10:51:52 +02:00
Tamas Vajk
f715445c7a Fix effective privateness of explicitly implemented members 2021-06-16 10:51:08 +02:00
Tamas Vajk
a24006239b C#: Add more tests to effective visibility 2021-06-16 10:50:15 +02:00
Taus
96d8fc78f8 Merge pull request #6078 from hvitved/type-tracker-caching
Python: Move cached predicates in type tracker library to same stage
2021-06-16 10:45:02 +02:00
Tamás Vajk
9f44bc575f Merge pull request #6089 from tamasvajk/feature/interface-member-modifier
C#: Allow abstract modifier on interface members
2021-06-16 10:44:43 +02:00
haby0
c1ada6d85b Merge branch 'main' into java/UnsafeDeserialization 2021-06-16 16:37:03 +08:00
Tamás Vajk
386d88ab93 Merge pull request #6085 from tamasvajk/feature/unsafe
C#: Fix `Modifiable::isUnsafe` to handle declarations extracted from assemblies
2021-06-16 10:30:09 +02:00
Tony Torralba
e2918d55b5 Move tests back from internal repo 2021-06-16 10:09:44 +02:00
Tamas Vajk
66835651fe C#: Allow abstract modifier on interface members 2021-06-16 09:56:36 +02:00
Tamas Vajk
dacb044790 C#: Add tests for abstract/virtual modifier of interface members 2021-06-16 09:54:34 +02:00
Asger Feldthaus
5838e54a46 JS: Sharpen recognition of string 'match' calls 2021-06-16 09:27:02 +02:00
haby0
9badd7aa27 change name 2021-06-16 11:29:37 +08:00
Taus
359bc5eff9 Python: Autoformat 2021-06-15 15:56:40 +00:00
Tamas Vajk
74c4765ab9 Add change note 2021-06-15 17:30:48 +02:00
Tamas Vajk
44b30b70da C#: Fix Modifiable::isUnsafe to handle declarations extracted from assemblies 2021-06-15 17:30:48 +02:00
Asger Feldthaus
af9cc07066 JS: Change note 2021-06-15 17:19:39 +02:00
Asger Feldthaus
9f052a2ecd JS: Add Knex model 2021-06-15 17:19:39 +02:00
CodeQL CI
847faf536d Merge pull request #6070 from asgerf/js/script-with-tsx-lang
Approved by erik-krogh
2021-06-15 08:17:53 -07:00
Taus
b55c034502 Python: Fix up getAMethodCall
Now that we have a `MethodCallNode` class, it would be silly not to use
that as the return type.
2021-06-15 15:13:54 +00:00
Taus
92063dc191 Python: Add change note 2021-06-15 15:13:03 +00:00
Taus
41ee325bc9 Python: Clean up Stdlib.qll
Not as many opportunities to clean stuff up here.
2021-06-15 15:04:30 +00:00
Taus
e90ec807ef Python: Clean up Ssl.qll 2021-06-15 15:04:29 +00:00
Taus
82fab3ba75 Python: Clean up Cryptography.qll 2021-06-15 15:04:29 +00:00
Taus
d4b05547ba Python: Add MethodCallNode class
Roughly patterned after the JS equivalent.
2021-06-15 15:04:29 +00:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00
Tom Hvitved
c03ee32f02 Python: Move cached predicates in type tracker library to same stage 2021-06-15 13:42:43 +02:00
Tamas Vajk
255e422172 Apply code review findings 2021-06-15 11:35:10 +02:00
Rasmus Wriedt Larsen
00af18a622 Python: Autoformat 2021-06-15 11:31:38 +02:00
Rasmus Wriedt Larsen
156b10cb59 Merge branch 'main' into promote-clickhouse 2021-06-15 11:30:19 +02:00
Erik Krogh Kristensen
60920c1ecc require that the URL refers to graphql in some way 2021-06-15 09:53:32 +02:00
Erik Krogh Kristensen
416c986cbc add support for graphql in @actions/github 2021-06-15 09:43:11 +02:00
Asger Feldthaus
53bef94b75 JS: Extractor version bump 2021-06-15 09:34:54 +02:00
shati-patel
17f9aecab8 Docs: Update setting in CodeQL for VS Code 2021-06-14 13:38:06 +01:00
Rasmus Wriedt Larsen
4eed94a262 Python: Fix CWE tag for py/use-of-input
So it better matches what is in `py/code-injection`. I had my doubts
about CWE-95, but after reading
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection
I think it's fine to add CWE-95 as well 👍

Definitions are:

CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
Code ('Eval Injection')
2021-06-14 14:08:34 +02:00
Asger Feldthaus
c58942092f JS: Add change note 2021-06-14 13:43:11 +02:00
Asger Feldthaus
bc375196d1 JS: Extract script tags with lang=tsx 2021-06-14 13:40:53 +02:00
Owen Mansel-Chan
5e89fce734 Avoid strange bug by commenting out two tests 2021-06-14 10:57:28 +01:00
Owen Mansel-Chan
8cf47f12b4 Model constructors of classes implementing MultivaluedMap 2021-06-14 10:56:35 +01:00
Taus
6333752014 Python: Add getAMethodCall to LocalSourceNode
This seems like something we have been missing for a while now, so I
figured it might be useful to add. It is roughly based on the JavaScript
equivalent, with one major difference: in the JavaScript libraries,
`getAMethodCall` is reserved for syntactic method calls (`obj.m(...)`)
whereas `getAMemberInvocation` is used for both this and the case where
the bound method `obj.m` is stored in a temporary variable and then
subsequently invoked in the same local scope.

It seems to me that the more general predicate is more useful, and hence
should have the simpler name. (And also we don't really work with a
notion of "invocation" in the Python libraries, so we would need a
better name for it anyway.)

I think as long as the documentation makes the behaviour clear, it
should be okay.
2021-06-11 21:26:58 +00:00
Rasmus Wriedt Larsen
6f29b01abc Python: Model rsa 2021-06-11 11:23:06 +02:00
Rasmus Wriedt Larsen
40714c05b7 Python: Add tests for rsa PyPI package 2021-06-11 11:17:13 +02:00
Erik Krogh Kristensen
50d574d20d add graphql injection to the sql-injection query 2021-06-10 21:01:54 +02:00
Tamas Vajk
916780a452 Fix codeql CLI path 2021-06-10 15:07:54 +02:00
Owen Mansel-Chan
e0130a932e Update experimental query using NewCookie 2021-06-10 13:33:20 +01:00
Owen Mansel-Chan
c173b89529 Model NewCookie 2021-06-10 13:32:39 +01:00
Owen Mansel-Chan
ee6019a2d8 Fix tests for experimental httponly query 2021-06-10 13:31:28 +01:00
Owen Mansel-Chan
d5d27d5ccf Duplicate tests for Jakarta 2021-06-10 10:43:40 +01:00
Owen Mansel-Chan
0ad35421f2 Comment out stubs (Jakarta) 2021-06-10 10:43:40 +01:00
Owen Mansel-Chan
318d1ea484 Stubs in javax-ws-rs-api-3.0.0
Generated using java-autostub
2021-06-10 10:43:39 +01:00
Owen Mansel-Chan
e6a6a8898b Move Jax XSS sinks to JaxWS.qll and add tests 2021-06-10 10:43:39 +01:00
Owen Mansel-Chan
d1fe62d4d5 (Minor) Update comments to match ExternalFlow docs 2021-06-10 10:43:38 +01:00
Owen Mansel-Chan
1ae9d68409 Move and convert URL redirect sinks
Adds for them as well
2021-06-10 10:43:37 +01:00
Owen Mansel-Chan
f2ff2aa3e1 Add flow tests for JAX-RS 2021-06-10 10:43:37 +01:00
Owen Mansel-Chan
155d63d5f7 Add tests for JAX-RS 2021-06-10 10:43:36 +01:00
Owen Mansel-Chan
f63fd68bfb Fix models to work with collection flow
And also removal of `Argument` with indices
2021-06-10 10:43:36 +01:00
Owen Mansel-Chan
e929de98ec Delete duplicated taint summary rows 2021-06-10 10:43:35 +01:00
Owen Mansel-Chan
2b8bb5c231 Fix JAX-RS models 2021-06-10 10:43:35 +01:00
Owen Mansel-Chan
baa21c5bcf Manually comment out parts of stubs
This is to avoid having to make more stubs, which we don't really need
2021-06-10 10:43:34 +01:00
Owen Mansel-Chan
caf96b01e1 Stubs in javax-ws-rs-api-2.1.1
Generated using java-autostub
2021-06-10 10:43:34 +01:00
Owen Mansel-Chan
7b3acd8b45 (Minor) Add missing this. 2021-06-10 10:43:33 +01:00
Owen Mansel-Chan
07f7fd0342 Add missing QLDocs in JaxWS.qll
And correct one QLDoc
2021-06-10 10:43:15 +01:00
Tamas Vajk
b067309909 Change artifact names 2021-06-10 11:26:07 +02:00
Tamas Vajk
73aaeb4c0d Change workflow names 2021-06-10 11:01:45 +02:00
Tamas Vajk
55dd6ed3d1 Allow space separated package patterns in framework-aggregated reports 2021-06-10 10:54:12 +02:00
Tamas Vajk
74c00383d2 Update java framework coverage reports 2021-06-10 10:26:34 +02:00
Tamas Vajk
3605b9f720 Update java framework data 2021-06-10 10:11:24 +02:00
Tamas Vajk
ba9c2e0702 Rework CSV report generator and change timeseries report to use framework.csv 2021-06-10 10:11:24 +02:00
Tamas Vajk
c6cb7c6eed Rename time-series file to timeseries 2021-06-10 10:11:24 +02:00
Tamas Vajk
d0ec1e2f37 Generate file with package info 2021-06-10 10:11:24 +02:00
Tamas Vajk
3353c3ecdd Add workflow to generate timeseries CSV coverage report 2021-06-10 10:11:24 +02:00
Tamas Vajk
4de4277a8d Add timeseries CSV generator script 2021-06-10 10:11:23 +02:00
Tamas Vajk
270cf62f08 Fix variable reference 2021-06-10 10:11:23 +02:00
Tamas Vajk
49190615a7 Cleanup CSV coverage report generator 2021-06-10 10:11:23 +02:00
Rasmus Wriedt Larsen
7c758f5c81 Python: Add change-note for twisted 2021-06-08 16:20:29 +02:00
Rasmus Wriedt Larsen
23f668f8ee Python: Model redirects in twisted 2021-06-08 16:16:56 +02:00
Owen Mansel-Chan
2cb76fe407 Test JAX-WS endpoints 2021-06-08 15:12:04 +01:00
Owen Mansel-Chan
d9cf1aaf39 Add stubs for JAX-WS 2021-06-08 15:12:04 +01:00
Chris Smowton
55d584b044 Add doc comment for JaxWS file 2021-06-08 15:12:03 +01:00
Chris Smowton
f71897d166 Rename JAX-WS -> JAX-RS where necessary. Improve change note and fix missing QLDoc. 2021-06-08 15:12:03 +01:00
Chris Smowton
ca684bea0e Jax-WS: support jakarta.ws.rs package everywhere
Releases since Java EE 9 use this.
2021-06-08 15:12:02 +01:00
Chris Smowton
adb5764aac Add URL redirect sinks relating to JAX-WS 2021-06-08 15:12:02 +01:00
Chris Smowton
260a228367 Add change note 2021-06-08 15:12:02 +01:00
Chris Smowton
314980c64c Model taint-propagating methods in the core JAX-WS library. 2021-06-08 15:11:57 +01:00
Rasmus Wriedt Larsen
a21039170b Python: Model (most of) twisted 2021-06-08 16:11:18 +02:00
Chris Smowton
9335e095a9 MIME type -> content type
This matches the terminology used elsewhere
2021-06-08 15:05:28 +01:00
Chris Smowton
5f7165efbb Add JaxWS XSS sink
Based on d44e4d0e63 by @lcartey
2021-06-08 15:05:27 +01:00
lcartey@github.com
cc497bf213 Java: Improve JaxRS modelling
- Handle inherited annotations
 - Fix `ResponseBuilder` charpred.
 - Model `@Produces` annotations.
2021-06-08 15:05:14 +01:00
Rasmus Wriedt Larsen
151a733ff2 Python: Add tests for twisted
These were largely based on the old tests in
6011cb74f8/python/ql/test/library-tests/web/twisted/test.py
2021-06-08 15:27:51 +02:00
haby0
d6782767b7 Fix typos 2021-05-31 11:12:22 +08:00
Rasmus Wriedt Larsen
1b3f857a2f Python: Promote ClickHouse SQL models 2021-05-25 16:27:23 +02:00
Rasmus Wriedt Larsen
eb1da152a0 Python: Rewrite ClickHouse SQL lib modeling
This did turn into a few changes, that maybe could have been split into
separate PRs 🤷

* Rename `ClickHouseDriver` => `ClickhouseDriver`, to better follow
  import name in `.qll` name
* Rewrote modeling to use API graphs
* Split modeling of `aioch` into separate `.qll` file, which does re-use
  the `getExecuteMethodName` predicate. I feel that sharing code between
  the modeling like this was the best approach, and stuck the
  `INTERNAL: Do not use.` labels on both modules.
* I also added handling of keyword arguments (see change in .py files)
2021-05-25 16:13:31 +02:00
Rasmus Wriedt Larsen
c9a9535dbc Python: Use ConceptsTests for ClickHouse SQL libs
This did reveal a few places where we do not detect the incoming SQL
2021-05-25 16:10:06 +02:00
Rasmus Wriedt Larsen
ee3477c20a Python: Remove dummy clickhouse SQL injection query 2021-05-25 14:27:29 +02:00
Rasmus Wriedt Larsen
c4e244eb80 Python: Add getAwaited to API::Node
I _really_ wanted to call this `.await()`, but that did not fit in with
the convention, or the corresponding `getPromised` in JS.

54f191cfe3/javascript/ql/src/semmle/javascript/ApiGraphs.qll (L184)
2021-05-21 17:11:20 +02:00
Rasmus Wriedt Larsen
e29b7568bf Python: Add missing QLDoc for subclass label 2021-05-21 16:17:17 +02:00
Rasmus Wriedt Larsen
2408573a0a Python: Add API graph test for calling coroutines 2021-05-21 16:08:15 +02:00
Rasmus Wriedt Larsen
7a5fd02442 Python: API graph tests: add --max-import-depth=1
Before this, I ended up extracting 454 modules locally 😱
2021-05-21 15:58:15 +02:00
Rasmus Wriedt Larsen
9a4709c134 Python: API graph tests: Disallow results outside project
Running the tests locally would result in thousands of results before
this 😱
2021-05-21 15:57:10 +02:00
haby0
689c28a178 modified JsonIoSafeOptionalArgs 2021-05-17 19:00:59 +08:00
haby0
95c33a240f Update java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
Co-authored-by: Chris Smowton <smowton@github.com>
2021-05-17 18:49:16 +08:00
haby0
58d774ae85 add change notes 2021-05-17 14:52:05 +08:00
haby0
60fc607449 Modify ql 2021-05-14 18:17:05 +08:00
haby0
12f47bcf24 Add UnsafeDeserialization 2021-05-12 12:37:16 +08:00
1106 changed files with 157688 additions and 3704 deletions

View File

@@ -0,0 +1,87 @@
name: Check framework coverage changes
on:
pull_request:
paths:
- '.github/workflows/csv-coverage-pr-comment.yml'
- '*/ql/src/**/*.ql'
- '*/ql/src/**/*.qll'
- 'misc/scripts/library-coverage/*.py'
# input data files
- '*/documentation/library-coverage/cwe-sink.csv'
- '*/documentation/library-coverage/frameworks.csv'
branches:
- main
- 'rc/*'
jobs:
generate:
name: Generate framework coverage artifacts
runs-on: ubuntu-latest
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_CONTEXT"
- name: Clone self (github/codeql) - MERGE
uses: actions/checkout@v2
with:
path: merge
- name: Clone self (github/codeql) - BASE
uses: actions/checkout@v2
with:
fetch-depth: 2
path: base
- run: |
git checkout HEAD^1
git log -1 --format='%H'
working-directory: base
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Generate CSV files on merge and base of the PR
run: |
echo "Running generator on merge"
PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
mkdir out_merge
cp framework-coverage-*.csv out_merge/
cp framework-coverage-*.rst out_merge/
echo "Running generator on base"
PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
mkdir out_base
cp framework-coverage-*.csv out_base/
cp framework-coverage-*.rst out_base/
- name: Upload CSV package list
uses: actions/upload-artifact@v2
with:
name: csv-framework-coverage-merge
path: |
out_merge/framework-coverage-*.csv
out_merge/framework-coverage-*.rst
- name: Upload CSV package list
uses: actions/upload-artifact@v2
with:
name: csv-framework-coverage-base
path: |
out_base/framework-coverage-*.csv
out_base/framework-coverage-*.rst
- name: Save PR number
run: |
mkdir -p pr
echo ${{ github.event.pull_request.number }} > pr/NR
- name: Upload PR number
uses: actions/upload-artifact@v2
with:
name: pr
path: pr/

View File

@@ -0,0 +1,65 @@
name: Comment on PR with framework coverage changes
on:
workflow_run:
workflows: ["Check framework coverage changes"]
types:
- completed
jobs:
check:
name: Check framework coverage differences and comment
runs-on: ubuntu-latest
if: >
${{ github.event.workflow_run.event == 'pull_request' &&
github.event.workflow_run.conclusion == 'success' }}
steps:
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
run: echo "$GITHUB_CONTEXT"
- name: Clone self (github/codeql)
uses: actions/checkout@v2
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
# download artifacts from the PR job:
- name: Download artifact - MERGE
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RUN_ID: ${{ github.event.workflow_run.id }}
run: |
gh run download --name "csv-framework-coverage-merge" --dir "out_merge" "$RUN_ID"
- name: Download artifact - BASE
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RUN_ID: ${{ github.event.workflow_run.id }}
run: |
gh run download --name "csv-framework-coverage-base" --dir "out_base" "$RUN_ID"
- name: Download artifact - PR
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RUN_ID: ${{ github.event.workflow_run.id }}
run: |
gh run download --name "pr" --dir "pr" "$RUN_ID"
- name: Check coverage files
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RUN_ID: ${{ github.event.workflow_run.id }}
run: |
PR=$(cat "pr/NR")
python misc/scripts/library-coverage/compare-files-comment-pr.py \
out_base out_merge comparison.md "$GITHUB_REPOSITORY" "$PR" "$RUN_ID"
- name: Upload comparison results
uses: actions/upload-artifact@v2
with:
name: comparison
path: |
comparison.md

View File

@@ -0,0 +1,42 @@
name: Build framework coverage timeseries reports
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Clone self (github/codeql)
uses: actions/checkout@v2
with:
path: script
- name: Clone self (github/codeql) for analysis
uses: actions/checkout@v2
with:
path: codeqlModels
fetch-depth: 0
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Download CodeQL CLI
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
- name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip
- name: Build modeled package list
run: |
CLI=$(realpath "codeql-cli/codeql")
echo $CLI
PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
- name: Upload timeseries CSV
uses: actions/upload-artifact@v2
with:
name: framework-coverage-timeseries
path: framework-coverage-timeseries-*.csv

View File

@@ -1,4 +1,4 @@
name: Build/check CSV flow coverage report name: Build framework coverage reports
on: on:
workflow_dispatch: workflow_dispatch:
@@ -6,22 +6,6 @@ on:
qlModelShaOverride: qlModelShaOverride:
description: 'github/codeql repo SHA used for looking up the CSV models' description: 'github/codeql repo SHA used for looking up the CSV models'
required: false required: false
push:
branches:
- main
- 'rc/**'
pull_request:
paths:
- '.github/workflows/csv-coverage.yml'
- '*/ql/src/**/*.ql'
- '*/ql/src/**/*.qll'
- 'misc/scripts/library-coverage/*.py'
# input data files
- '*/documentation/library-coverage/cwe-sink.csv'
- '*/documentation/library-coverage/frameworks.csv'
# coverage report files
- '*/documentation/library-coverage/flow-model-coverage.csv'
- '*/documentation/library-coverage/flow-model-coverage.rst'
jobs: jobs:
build: build:
@@ -33,28 +17,20 @@ jobs:
uses: actions/checkout@v2 uses: actions/checkout@v2
with: with:
path: script path: script
- name: Clone self (github/codeql) at a given SHA for analysis
if: github.event.inputs.qlModelShaOverride != ''
uses: actions/checkout@v2
with:
path: codeqlModels
ref: github.event.inputs.qlModelShaOverride
- name: Clone self (github/codeql) for analysis - name: Clone self (github/codeql) for analysis
if: github.event.inputs.qlModelShaOverride == ''
uses: actions/checkout@v2 uses: actions/checkout@v2
with: with:
path: codeqlModels path: codeqlModels
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
- name: Set up Python 3.8 - name: Set up Python 3.8
uses: actions/setup-python@v2 uses: actions/setup-python@v2
with: with:
python-version: 3.8 python-version: 3.8
- name: Download CodeQL CLI - name: Download CodeQL CLI
uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c env:
with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
repo: "github/codeql-cli-binaries" run: |
version: "latest" gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
file: "codeql-linux64.zip"
token: ${{ secrets.GITHUB_TOKEN }}
- name: Unzip CodeQL CLI - name: Unzip CodeQL CLI
run: unzip -d codeql-cli codeql-linux64.zip run: unzip -d codeql-cli codeql-linux64.zip
- name: Build modeled package list - name: Build modeled package list
@@ -63,15 +39,11 @@ jobs:
- name: Upload CSV package list - name: Upload CSV package list
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v2
with: with:
name: csv-flow-model-coverage name: framework-coverage-csv
path: flow-model-coverage-*.csv path: framework-coverage-*.csv
- name: Upload RST package list - name: Upload RST package list
uses: actions/upload-artifact@v2 uses: actions/upload-artifact@v2
with: with:
name: rst-flow-model-coverage name: framework-coverage-rst
path: flow-model-coverage-*.rst path: framework-coverage-*.rst
# - name: Check coverage files
# if: github.event.pull_request
# run: |
# python script/misc/scripts/library-coverage/compare-files.py codeqlModels

View File

@@ -0,0 +1,2 @@
lgtm,codescanning
* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/offset-use-before-range-check * @id cpp/offset-use-before-range-check
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.2
* @precision medium * @precision medium
* @tags reliability * @tags reliability
* security * security

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/descriptor-may-not-be-closed * @id cpp/descriptor-may-not-be-closed
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.8
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/descriptor-never-closed * @id cpp/descriptor-never-closed
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.8
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/file-may-not-be-closed * @id cpp/file-may-not-be-closed
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.8
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/file-never-closed * @id cpp/file-never-closed
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.8
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-775 * external/cwe/cwe-775

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/global-use-before-init * @id cpp/global-use-before-init
* @problem.severity warning * @problem.severity warning
* @security-severity 6.9 * @security-severity 7.8
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-457 * external/cwe/cwe-457

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/inconsistent-nullness-testing * @id cpp/inconsistent-nullness-testing
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6 * @security-severity 7.5
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-476 * external/cwe/cwe-476

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/initialization-not-run * @id cpp/initialization-not-run
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4 * @security-severity 7.5
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-456 * external/cwe/cwe-456

View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @id cpp/late-negative-test * @id cpp/late-negative-test
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0 * @security-severity 9.3
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-823 * external/cwe/cwe-823

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/memory-may-not-be-freed * @id cpp/memory-may-not-be-freed
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6 * @security-severity 7.5
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-401 * external/cwe/cwe-401

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/memory-never-freed * @id cpp/memory-never-freed
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6 * @security-severity 7.5
* @tags efficiency * @tags efficiency
* security * security
* external/cwe/cwe-401 * external/cwe/cwe-401

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/missing-negativity-test * @id cpp/missing-negativity-test
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0 * @security-severity 9.3
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-823 * external/cwe/cwe-823

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/missing-null-test * @id cpp/missing-null-test
* @problem.severity recommendation * @problem.severity recommendation
* @security-severity 3.6 * @security-severity 7.5
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-476 * external/cwe/cwe-476

View File

@@ -3,7 +3,7 @@
* @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'. * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6 * @security-severity 7.5
* @precision high * @precision high
* @id cpp/new-free-mismatch * @id cpp/new-free-mismatch
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/overflow-calculated * @id cpp/overflow-calculated
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 9.8
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-131 * external/cwe/cwe-131

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/overflow-destination * @id cpp/overflow-destination
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0 * @security-severity 9.3
* @precision low * @precision low
* @tags reliability * @tags reliability
* security * security

View File

@@ -4,7 +4,7 @@
* may result in a buffer overflow. * may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0 * @security-severity 9.3
* @precision medium * @precision medium
* @id cpp/static-buffer-overflow * @id cpp/static-buffer-overflow
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/return-stack-allocated-object * @id cpp/return-stack-allocated-object
* @problem.severity warning * @problem.severity warning
* @security-severity 2.9 * @security-severity 2.1
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-562 * external/cwe/cwe-562

View File

@@ -4,7 +4,7 @@
* an instance of the type of the pointer may result in a buffer overflow * an instance of the type of the pointer may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4 * @security-severity 8.1
* @precision medium * @precision medium
* @id cpp/allocation-too-small * @id cpp/allocation-too-small
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* multiple instances of the type of the pointer may result in a buffer overflow * multiple instances of the type of the pointer may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4 * @security-severity 8.1
* @precision medium * @precision medium
* @id cpp/suspicious-allocation-size * @id cpp/suspicious-allocation-size
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/use-after-free * @id cpp/use-after-free
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 9.3
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-416 * external/cwe/cwe-416

View File

@@ -6,7 +6,7 @@
* to a larger type. * to a larger type.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 8.1
* @precision very-high * @precision very-high
* @id cpp/bad-addition-overflow-check * @id cpp/bad-addition-overflow-check
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* be a sign that the result can overflow the type converted from. * be a sign that the result can overflow the type converted from.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.1
* @precision high * @precision high
* @id cpp/integer-multiplication-cast-to-long * @id cpp/integer-multiplication-cast-to-long
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,7 @@
* unsigned integer values. * unsigned integer values.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.1
* @precision high * @precision high
* @id cpp/signed-overflow-check * @id cpp/signed-overflow-check
* @tags correctness * @tags correctness

View File

@@ -6,7 +6,7 @@
* use the width of the base type, leading to misaligned reads. * use the width of the base type, leading to misaligned reads.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0 * @security-severity 9.3
* @precision high * @precision high
* @id cpp/upcast-array-pointer-arithmetic * @id cpp/upcast-array-pointer-arithmetic
* @tags correctness * @tags correctness

View File

@@ -6,7 +6,7 @@
* from an untrusted source, this can be used for exploits. * from an untrusted source, this can be used for exploits.
* @kind problem * @kind problem
* @problem.severity recommendation * @problem.severity recommendation
* @security-severity 6.9 * @security-severity 9.3
* @precision high * @precision high
* @id cpp/non-constant-format * @id cpp/non-constant-format
* @tags maintainability * @tags maintainability

View File

@@ -3,7 +3,7 @@
* @description Using the return value from snprintf without proper checks can cause overflow. * @description Using the return value from snprintf without proper checks can cause overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.1
* @precision high * @precision high
* @id cpp/overflowing-snprintf * @id cpp/overflowing-snprintf
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* a source of security issues. * a source of security issues.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 2.9 * @security-severity 5.0
* @precision high * @precision high
* @id cpp/wrong-number-format-arguments * @id cpp/wrong-number-format-arguments
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* behavior. * behavior.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 6.4 * @security-severity 7.5
* @precision high * @precision high
* @id cpp/wrong-type-format-argument * @id cpp/wrong-type-format-argument
* @tags reliability * @tags reliability

View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @id cpp/incorrect-not-operator-usage * @id cpp/incorrect-not-operator-usage
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6 * @security-severity 7.5
* @precision medium * @precision medium
* @tags security * @tags security
* external/cwe/cwe-480 * external/cwe/cwe-480

View File

@@ -3,7 +3,7 @@
* @description Using alloca in a loop can lead to a stack overflow * @description Using alloca in a loop can lead to a stack overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6 * @security-severity 7.5
* @precision high * @precision high
* @id cpp/alloca-in-loop * @id cpp/alloca-in-loop
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/improper-null-termination * @id cpp/improper-null-termination
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.8
* @tags security * @tags security
* external/cwe/cwe-170 * external/cwe/cwe-170
* external/cwe/cwe-665 * external/cwe/cwe-665

View File

@@ -4,7 +4,7 @@
* on undefined behavior and may lead to memory corruption. * on undefined behavior and may lead to memory corruption.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 2.9 * @security-severity 2.1
* @precision high * @precision high
* @id cpp/pointer-overflow-check * @id cpp/pointer-overflow-check
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* as the third argument may result in a buffer overflow. * as the third argument may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0 * @security-severity 9.3
* @precision medium * @precision medium
* @id cpp/bad-strncpy-size * @id cpp/bad-strncpy-size
* @tags reliability * @tags reliability

View File

@@ -3,7 +3,7 @@
* @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow. * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 10.0 * @security-severity 9.3
* @precision medium * @precision medium
* @id cpp/unsafe-strncat * @id cpp/unsafe-strncat
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,7 @@
* the machine pointer size. * the machine pointer size.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.8
* @precision medium * @precision medium
* @id cpp/suspicious-sizeof * @id cpp/suspicious-sizeof
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/uninitialized-local * @id cpp/uninitialized-local
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.8
* @precision medium * @precision medium
* @tags security * @tags security
* external/cwe/cwe-665 * external/cwe/cwe-665

View File

@@ -4,7 +4,7 @@
* may result in a buffer overflow * may result in a buffer overflow
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 9.8
* @precision medium * @precision medium
* @id cpp/unsafe-strcat * @id cpp/unsafe-strcat
* @tags reliability * @tags reliability

View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @id cpp/self-assignment-check * @id cpp/self-assignment-check
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.0
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-826 * external/cwe/cwe-826

View File

@@ -6,7 +6,7 @@
* @kind path-problem * @kind path-problem
* @id cpp/unsafe-use-of-this * @id cpp/unsafe-use-of-this
* @problem.severity error * @problem.severity error
* @security-severity 3.6 * @security-severity 7.5
* @precision very-high * @precision very-high
* @tags correctness * @tags correctness
* language-features * language-features

View File

@@ -7,7 +7,7 @@
* undefined data. * undefined data.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 2.9 * @security-severity 5.0
* @precision very-high * @precision very-high
* @id cpp/too-few-arguments * @id cpp/too-few-arguments
* @tags correctness * @tags correctness

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/memset-may-be-deleted * @id cpp/memset-may-be-deleted
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4 * @security-severity 7.8
* @precision high * @precision high
* @tags security * @tags security
* external/cwe/cwe-14 * external/cwe/cwe-14

View File

@@ -5,7 +5,7 @@
* @kind path-problem * @kind path-problem
* @precision low * @precision low
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 7.8
* @tags security external/cwe/cwe-20 * @tags security external/cwe/cwe-20
*/ */

View File

@@ -5,7 +5,7 @@
* @kind path-problem * @kind path-problem
* @precision low * @precision low
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 7.8
* @tags security external/cwe/cwe-20 * @tags security external/cwe/cwe-20
*/ */

View File

@@ -4,7 +4,7 @@
* attacker to access unexpected resources. * attacker to access unexpected resources.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4 * @security-severity 7.5
* @precision medium * @precision medium
* @id cpp/path-injection * @id cpp/path-injection
* @tags security * @tags security

View File

@@ -5,7 +5,7 @@
* to command injection. * to command injection.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 9.8
* @precision low * @precision low
* @id cpp/command-line-injection * @id cpp/command-line-injection
* @tags security * @tags security

View File

@@ -4,7 +4,7 @@
* allows for a cross-site scripting vulnerability. * allows for a cross-site scripting vulnerability.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @security-severity 2.9 * @security-severity 6.1
* @precision high * @precision high
* @id cpp/cgi-xss * @id cpp/cgi-xss
* @tags security * @tags security

View File

@@ -5,7 +5,7 @@
* to SQL Injection. * to SQL Injection.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @security-severity 6.4 * @security-severity 8.8
* @precision high * @precision high
* @id cpp/sql-injection * @id cpp/sql-injection
* @tags security * @tags security

View File

@@ -5,7 +5,7 @@
* commands. * commands.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.0 * @security-severity 8.2
* @precision medium * @precision medium
* @id cpp/uncontrolled-process-operation * @id cpp/uncontrolled-process-operation
* @tags security * @tags security

View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @id cpp/overflow-buffer * @id cpp/overflow-buffer
* @problem.severity recommendation * @problem.severity recommendation
* @security-severity 10.0 * @security-severity 9.3
* @tags security * @tags security
* external/cwe/cwe-119 * external/cwe/cwe-119
* external/cwe/cwe-121 * external/cwe/cwe-121

View File

@@ -5,7 +5,7 @@
* overflow. * overflow.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 9.3
* @precision high * @precision high
* @id cpp/badly-bounded-write * @id cpp/badly-bounded-write
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* of data written may overflow. * of data written may overflow.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 9.3
* @precision medium * @precision medium
* @id cpp/overrunning-write * @id cpp/overrunning-write
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,7 @@
* take extreme values. * take extreme values.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 9.3
* @precision medium * @precision medium
* @id cpp/overrunning-write-with-float * @id cpp/overrunning-write-with-float
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* of data written may overflow. * of data written may overflow.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 9.3
* @precision medium * @precision medium
* @id cpp/unbounded-write * @id cpp/unbounded-write
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,7 @@
* a specific value to terminate the argument list. * a specific value to terminate the argument list.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.8
* @precision medium * @precision medium
* @id cpp/unterminated-variadic-call * @id cpp/unterminated-variadic-call
* @tags reliability * @tags reliability

View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @id cpp/unclear-array-index-validation * @id cpp/unclear-array-index-validation
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.8
* @tags security * @tags security
* external/cwe/cwe-129 * external/cwe/cwe-129
*/ */

View File

@@ -5,7 +5,7 @@
* terminator can cause a buffer overrun. * terminator can cause a buffer overrun.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 9.8
* @precision high * @precision high
* @id cpp/no-space-for-terminator * @id cpp/no-space-for-terminator
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,7 @@
* or data representation problems. * or data representation problems.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.9 * @security-severity 9.3
* @precision high * @precision high
* @id cpp/tainted-format-string * @id cpp/tainted-format-string
* @tags reliability * @tags reliability

View File

@@ -5,7 +5,7 @@
* or data representation problems. * or data representation problems.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.9 * @security-severity 9.3
* @precision high * @precision high
* @id cpp/tainted-format-string-through-global * @id cpp/tainted-format-string-through-global
* @tags reliability * @tags reliability

View File

@@ -2,9 +2,9 @@
* @name User-controlled data in arithmetic expression * @name User-controlled data in arithmetic expression
* @description Arithmetic operations on user-controlled data that is * @description Arithmetic operations on user-controlled data that is
* not validated can cause overflows. * not validated can cause overflows.
* @kind problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.6
* @precision low * @precision low
* @id cpp/tainted-arithmetic * @id cpp/tainted-arithmetic
* @tags security * @tags security
@@ -16,22 +16,39 @@ import cpp
import semmle.code.cpp.security.Overflow import semmle.code.cpp.security.Overflow
import semmle.code.cpp.security.Security import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking import semmle.code.cpp.security.TaintTracking
import TaintedWithPath
import Bounded
from Expr origin, Operation op, Expr e, string effect bindingset[op]
predicate missingGuard(Operation op, Expr e, string effect) {
missingGuardAgainstUnderflow(op, e) and effect = "underflow"
or
missingGuardAgainstOverflow(op, e) and effect = "overflow"
or
not e instanceof VariableAccess and effect = "overflow"
}
class Configuration extends TaintTrackingConfiguration {
override predicate isSink(Element e) {
exists(Operation op |
missingGuard(op, e, _) and
op.getAnOperand() = e
|
op instanceof UnaryArithmeticOperation or
op instanceof BinaryArithmeticOperation
)
}
override predicate isBarrier(Expr e) {
super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
}
}
from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
where where
isUserInput(origin, _) and taintedWithPath(origin, e, sourceNode, sinkNode) and
tainted(origin, e) and
op.getAnOperand() = e and op.getAnOperand() = e and
( missingGuard(op, e, effect)
missingGuardAgainstUnderflow(op, e) and effect = "underflow" select e, sourceNode, sinkNode,
or "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
missingGuardAgainstOverflow(op, e) and effect = "overflow" "User-provided value"
or
not e instanceof VariableAccess and effect = "overflow"
) and
(
op instanceof UnaryArithmeticOperation or
op instanceof BinaryArithmeticOperation
)
select e, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
origin, "User-provided value"

View File

@@ -4,7 +4,7 @@
* validated can cause overflows. * validated can cause overflows.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.6
* @precision medium * @precision medium
* @id cpp/uncontrolled-arithmetic * @id cpp/uncontrolled-arithmetic
* @tags security * @tags security
@@ -16,8 +16,8 @@ import cpp
import semmle.code.cpp.security.Overflow import semmle.code.cpp.security.Overflow
import semmle.code.cpp.security.Security import semmle.code.cpp.security.Security
import semmle.code.cpp.security.TaintTracking import semmle.code.cpp.security.TaintTracking
import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
import TaintedWithPath import TaintedWithPath
import Bounded
predicate isUnboundedRandCall(FunctionCall fc) { predicate isUnboundedRandCall(FunctionCall fc) {
exists(Function func | func = fc.getTarget() | exists(Function func | func = fc.getTarget() |
@@ -27,74 +27,6 @@ predicate isUnboundedRandCall(FunctionCall fc) {
) )
} }
/**
* An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
* a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
*/
pragma[inline]
predicate boundedDiv(Expr e, Expr left) { e = left }
/**
* An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
* an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
* when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
* allowed by the result type of `rem`.
*/
pragma[inline]
predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
e = left and
upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
}
/**
* An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
* or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
* bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
*/
pragma[inline]
predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
operand1 != operand2 and
e = operand1 and
upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
}
/**
* Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
* of possible values.
*/
predicate bounded(Expr e) {
// For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
// maximum possible value of the result type of the operation.
// For example, the function call `rand()` is considered bounded in the following program:
// ```
// int i = rand() % (UINT8_MAX + 1);
// ```
// but not in:
// ```
// unsigned char uc = rand() % (UINT8_MAX + 1);
// ```
exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
or
exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
or
exists(BitwiseAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
exists(AssignAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
// Optimitically assume that a division always yields a much smaller value.
boundedDiv(e, any(DivExpr div).getLeftOperand())
or
boundedDiv(e, any(AssignDivExpr div).getLValue())
or
boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
or
boundedDiv(e, any(AssignRShiftExpr div).getLValue())
}
predicate isUnboundedRandCallOrParent(Expr e) { predicate isUnboundedRandCallOrParent(Expr e) {
isUnboundedRandCall(e) isUnboundedRandCall(e)
or or

View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @id cpp/arithmetic-with-extreme-values * @id cpp/arithmetic-with-extreme-values
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.6
* @precision low * @precision low
* @tags security * @tags security
* reliability * reliability

View File

@@ -0,0 +1,83 @@
/**
* This file provides the `bounded` predicate that is used in both `cpp/uncontrolled-arithmetic`
* and `cpp/tainted-arithmetic`.
*/
private import cpp
private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
/**
* An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
* a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
*/
pragma[inline]
private predicate boundedDiv(Expr e, Expr left) { e = left }
/**
* An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
* an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
* when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
* allowed by the result type of `rem`.
*/
pragma[inline]
private predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
e = left and
upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
}
/**
* An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
* or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
* bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
*/
pragma[inline]
private predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
operand1 != operand2 and
e = operand1 and
upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
}
/**
* Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operand of an
* operation that may greatly reduce the range of possible values.
*/
predicate bounded(Expr e) {
(
e instanceof UnaryArithmeticOperation or
e instanceof BinaryArithmeticOperation or
e instanceof AssignArithmeticOperation
) and
not convertedExprMightOverflow(e)
or
// For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
// maximum possible value of the result type of the operation.
// For example, the function call `rand()` is considered bounded in the following program:
// ```
// int i = rand() % (UINT8_MAX + 1);
// ```
// but not in:
// ```
// unsigned char uc = rand() % (UINT8_MAX + 1);
// ```
exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
or
exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
or
exists(BitwiseAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
exists(AssignAndExpr andExpr |
boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
)
or
// Optimitically assume that a division always yields a much smaller value.
boundedDiv(e, any(DivExpr div).getLeftOperand())
or
boundedDiv(e, any(AssignDivExpr div).getLValue())
or
boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
or
boundedDiv(e, any(AssignRShiftExpr div).getLValue())
}

View File

@@ -5,7 +5,7 @@
* @id cpp/comparison-with-wider-type * @id cpp/comparison-with-wider-type
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.8
* @precision high * @precision high
* @tags reliability * @tags reliability
* security * security

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/integer-overflow-tainted * @id cpp/integer-overflow-tainted
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.1
* @precision low * @precision low
* @tags security * @tags security
* external/cwe/cwe-190 * external/cwe/cwe-190

View File

@@ -4,7 +4,7 @@
* user can result in integer overflow. * user can result in integer overflow.
* @kind path-problem * @kind path-problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 8.1
* @precision medium * @precision medium
* @id cpp/uncontrolled-allocation-size * @id cpp/uncontrolled-allocation-size
* @tags reliability * @tags reliability

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/unsigned-difference-expression-compared-zero * @id cpp/unsigned-difference-expression-compared-zero
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 9.8
* @precision medium * @precision medium
* @tags security * @tags security
* correctness * correctness

View File

@@ -4,7 +4,7 @@
* @kind problem * @kind problem
* @id cpp/hresult-boolean-conversion * @id cpp/hresult-boolean-conversion
* @problem.severity error * @problem.severity error
* @security-severity 4.2 * @security-severity 7.5
* @precision high * @precision high
* @tags security * @tags security
* external/cwe/cwe-253 * external/cwe/cwe-253

View File

@@ -5,7 +5,7 @@
* vulnerable to spoofing attacks. * vulnerable to spoofing attacks.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.8 * @security-severity 8.1
* @precision medium * @precision medium
* @id cpp/user-controlled-bypass * @id cpp/user-controlled-bypass
* @tags security * @tags security

View File

@@ -4,7 +4,7 @@
* to an attacker. * to an attacker.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.5
* @precision medium * @precision medium
* @id cpp/cleartext-storage-buffer * @id cpp/cleartext-storage-buffer
* @tags security * @tags security

View File

@@ -4,7 +4,7 @@
* to an attacker. * to an attacker.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4 * @security-severity 7.5
* @precision medium * @precision medium
* @id cpp/cleartext-storage-file * @id cpp/cleartext-storage-file
* @tags security * @tags security

View File

@@ -4,7 +4,7 @@
* database can expose it to an attacker. * database can expose it to an attacker.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4 * @security-severity 7.5
* @precision medium * @precision medium
* @id cpp/cleartext-storage-database * @id cpp/cleartext-storage-database
* @tags security * @tags security

View File

@@ -4,8 +4,8 @@
* an attacker to compromise security. * an attacker to compromise security.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.2 * @security-severity 7.5
* @precision medium * @precision high
* @id cpp/weak-cryptographic-algorithm * @id cpp/weak-cryptographic-algorithm
* @tags security * @tags security
* external/cwe/cwe-327 * external/cwe/cwe-327
@@ -70,9 +70,12 @@ EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(r
predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) { predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
// find use of an insecure algorithm name // find use of an insecure algorithm name
( (
fc.getTarget() = getAnInsecureEncryptionFunction() and exists(FunctionCall fc2 |
blame = fc and fc.getAChild*() = fc2 and
description = "call to " + fc.getTarget().getName() fc2.getTarget() = getAnInsecureEncryptionFunction() and
blame = fc2 and
description = "call to " + fc.getTarget().getName()
)
or or
exists(MacroInvocation mi | exists(MacroInvocation mi |
( (
@@ -93,7 +96,10 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
) and ) and
// find additional evidence that this function is related to encryption. // find additional evidence that this function is related to encryption.
( (
fc.getTarget() = getAnAdditionalEvidenceFunction() exists(FunctionCall fc2 |
fc.getAChild*() = fc2 and
fc2.getTarget() = getAnAdditionalEvidenceFunction()
)
or or
exists(MacroInvocation mi | exists(MacroInvocation mi |
( (
@@ -107,6 +113,27 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
ec = fc.getAnArgument() and ec = fc.getAnArgument() and
ec.getTarget() = getAdditionalEvidenceEnumConst() ec.getTarget() = getAdditionalEvidenceEnumConst()
) )
) and
// exclude calls from templates as this is rarely the right place to flag an
// issue
not fc.isFromTemplateInstantiation(_) and
(
// the function should have an input that looks like a non-constant buffer
exists(Expr e |
fc.getAnArgument() = e and
(
e.getUnspecifiedType() instanceof PointerType or
e.getUnspecifiedType() instanceof ReferenceType or
e.getUnspecifiedType() instanceof ArrayType
) and
not e.getType().isDeeplyConstBelow() and
not e.isConstant()
)
or
// or be a non-const member function of an object
fc.getTarget() instanceof MemberFunction and
not fc.getTarget() instanceof ConstMemberFunction and
not fc.getTarget().isStatic()
) )
} }

View File

@@ -4,7 +4,7 @@
* attackers to retrieve portions of memory. * attackers to retrieve portions of memory.
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.2 * @security-severity 7.5
* @precision very-high * @precision very-high
* @id cpp/openssl-heartbleed * @id cpp/openssl-heartbleed
* @tags security * @tags security

View File

@@ -5,7 +5,7 @@
* the two operations. * the two operations.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.7
* @precision medium * @precision medium
* @id cpp/toctou-race-condition * @id cpp/toctou-race-condition
* @tags security * @tags security

View File

@@ -4,7 +4,7 @@
* @id cpp/unsafe-create-process-call * @id cpp/unsafe-create-process-call
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 7.8
* @precision medium * @precision medium
* @msrc.severity important * @msrc.severity important
* @tags security * @tags security

View File

@@ -5,7 +5,7 @@
* state, and reading the variable may result in undefined behavior. * state, and reading the variable may result in undefined behavior.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.9 * @security-severity 7.8
* @opaque-id SM02313 * @opaque-id SM02313
* @id cpp/conditionally-uninitialized-variable * @id cpp/conditionally-uninitialized-variable
* @tags security * @tags security

View File

@@ -4,7 +4,7 @@
* can cause buffer overflow conditions. * can cause buffer overflow conditions.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.8
* @precision medium * @precision medium
* @id cpp/suspicious-pointer-scaling * @id cpp/suspicious-pointer-scaling
* @tags security * @tags security

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/incorrect-pointer-scaling-char * @id cpp/incorrect-pointer-scaling-char
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.8
* @precision low * @precision low
* @tags security * @tags security
* external/cwe/cwe-468 * external/cwe/cwe-468

View File

@@ -4,7 +4,7 @@
* can cause buffer overflow conditions. * can cause buffer overflow conditions.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.8
* @precision medium * @precision medium
* @id cpp/suspicious-pointer-scaling-void * @id cpp/suspicious-pointer-scaling-void
* @tags security * @tags security

View File

@@ -5,7 +5,7 @@
* implicitly scaled. * implicitly scaled.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 8.8
* @precision high * @precision high
* @id cpp/suspicious-add-sizeof * @id cpp/suspicious-add-sizeof
* @tags security * @tags security

View File

@@ -5,7 +5,7 @@
* attack plan. * attack plan.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6 * @security-severity 6.5
* @precision medium * @precision medium
* @id cpp/system-data-exposure * @id cpp/system-data-exposure
* @tags security * @tags security

View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @id cpp/incorrect-string-type-conversion * @id cpp/incorrect-string-type-conversion
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 8.8
* @precision high * @precision high
* @tags security * @tags security
* external/cwe/cwe-704 * external/cwe/cwe-704

View File

@@ -3,7 +3,7 @@
* @description Creating a file that is world-writable can allow an attacker to write to the file. * @description Creating a file that is world-writable can allow an attacker to write to the file.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @security-severity 5.9 * @security-severity 7.8
* @precision medium * @precision medium
* @id cpp/world-writable-file-creation * @id cpp/world-writable-file-creation
* @tags security * @tags security

View File

@@ -7,7 +7,7 @@
* @id cpp/unsafe-dacl-security-descriptor * @id cpp/unsafe-dacl-security-descriptor
* @kind problem * @kind problem
* @problem.severity error * @problem.severity error
* @security-severity 5.9 * @security-severity 7.8
* @precision high * @precision high
* @tags security * @tags security
* external/cwe/cwe-732 * external/cwe/cwe-732

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/lock-order-cycle * @id cpp/lock-order-cycle
* @problem.severity error * @problem.severity error
* @security-severity 6.9 * @security-severity 5.0
* @tags security * @tags security
* external/cwe/cwe-764 * external/cwe/cwe-764
* external/cwe/cwe-833 * external/cwe/cwe-833

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/twice-locked * @id cpp/twice-locked
* @problem.severity error * @problem.severity error
* @security-severity 6.9 * @security-severity 5.0
* @precision low * @precision low
* @tags security * @tags security
* external/cwe/cwe-764 * external/cwe/cwe-764

View File

@@ -5,7 +5,7 @@
* @kind problem * @kind problem
* @id cpp/unreleased-lock * @id cpp/unreleased-lock
* @problem.severity error * @problem.severity error
* @security-severity 6.9 * @security-severity 5.0
* @precision low * @precision low
* @tags security * @tags security
* external/cwe/cwe-764 * external/cwe/cwe-764

View File

@@ -5,7 +5,7 @@
* attack. * attack.
* @kind path-problem * @kind path-problem
* @problem.severity warning * @problem.severity warning
* @security-severity 6.4 * @security-severity 7.5
* @precision medium * @precision medium
* @id cpp/tainted-permissions-check * @id cpp/tainted-permissions-check
* @tags security * @tags security

View File

@@ -6,7 +6,7 @@
* @kind problem * @kind problem
* @id cpp/infinite-loop-with-unsatisfiable-exit-condition * @id cpp/infinite-loop-with-unsatisfiable-exit-condition
* @problem.severity warning * @problem.severity warning
* @security-severity 3.6 * @security-severity 7.5
* @tags security * @tags security
* external/cwe/cwe-835 * external/cwe/cwe-835
*/ */

View File

@@ -2220,7 +2220,9 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
getNodeEnclosingCallable(node))
} }
private predicate localStep( private predicate localStep(
@@ -3255,7 +3257,9 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2220,7 +2220,9 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
getNodeEnclosingCallable(node))
} }
private predicate localStep( private predicate localStep(
@@ -3255,7 +3257,9 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2220,7 +2220,9 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
getNodeEnclosingCallable(node))
} }
private predicate localStep( private predicate localStep(
@@ -3255,7 +3257,9 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -2220,7 +2220,9 @@ private module Stage4 {
bindingset[node, cc, config] bindingset[node, cc, config]
private LocalCc getLocalCc(Node node, Cc cc, Configuration config) { private LocalCc getLocalCc(Node node, Cc cc, Configuration config) {
localFlowEntry(node, config) and localFlowEntry(node, config) and
result = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(node)) result =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
getNodeEnclosingCallable(node))
} }
private predicate localStep( private predicate localStep(
@@ -3255,7 +3257,9 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, SummaryCt
conf = mid.getConfiguration() and conf = mid.getConfiguration() and
cc = mid.getCallContext() and cc = mid.getCallContext() and
sc = mid.getSummaryCtx() and sc = mid.getSummaryCtx() and
localCC = getLocalCallContext(pragma[only_bind_out](cc), getNodeEnclosingCallable(midnode)) and localCC =
getLocalCallContext(pragma[only_bind_into](pragma[only_bind_out](cc)),
getNodeEnclosingCallable(midnode)) and
ap0 = mid.getAp() ap0 = mid.getAp()
| |
localFlowBigStep(midnode, node, true, _, conf, localCC) and localFlowBigStep(midnode, node, true, _, conf, localCC) and

View File

@@ -168,7 +168,13 @@ module Consistency {
msg = "ArgumentNode is missing PostUpdateNode." msg = "ArgumentNode is missing PostUpdateNode."
} }
query predicate postWithInFlow(PostUpdateNode n, string msg) { // This predicate helps the compiler forget that in some languages
// it is impossible for a `PostUpdateNode` to be the target of
// `simpleLocalFlowStep`.
private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
query predicate postWithInFlow(Node n, string msg) {
isPostUpdateNode(n) and
simpleLocalFlowStep(_, n) and simpleLocalFlowStep(_, n) and
msg = "PostUpdateNode should not be the target of local flow." msg = "PostUpdateNode should not be the target of local flow."
} }

Some files were not shown because too many files have changed in this diff Show More